Eclipse Steady

Eclipse Steady - Analysis Report

Generated at: 07.07.2023 04:38 +0800, with: 3.2.4


Target:
  Workspace: 5BB7592E24354F20143D405D1B106088
  Group: de.jonashackt.tutorial
  Artifact: build-all-tutorial-projects
  Version: 0.0.1-SNAPSHOT
  Aggregated projects: 12


Analysis Result: Success


No non-exempted vulnerabilities; thus no build exception is thrown.

The findings presented below represent archives containing code that is subject to a specific vulnerability. Each finding lists the vulnerability description and the CVSS score (if any). The first table column indicates whether the archive contains the vulnerable code; the other two columns show whether that vulnerable code is reachable according to the static and the dynamic analysis (if those were performed using the respective analysis goals). Each row also gives the full identifier (GAV) of the affected application project as well as the scope and transitivity of the respective dependency.

Used Configuration Settings

exceptionThreshold: noException
Specifies if and when the plugin will throw a build exception.

Possible values (default: dependsOn):
  • noException - no build exception will be thrown, regardless of the analysis results
  • dependsOn - an exception will be thrown if at least one application project depends on an archive with known vulnerabilities (typically by declaring a dependency in the POM file)
  • potentiallyExecutes - an exception will be thrown if at least one application project can potentially execute vulnerable code (according to static source code analysis).
  • actuallyExecutes - an exception will be thrown if at least one application project actually executes vulnerable code during application tests.


Exempted scopes: TEST, PROVIDED
List of scopes that will be ignored (exempted) when deciding whether to throw a build exception.

Example: vulas.report.exemptScope = test, provided
Possible values: compile, provided, runtime, test, system
Default: [test, provided]


Exempted bugs: none
List of security vulnerabilities that will be ignored (exempted) when deciding whether to throw a build exception.

Example: vulas.report.exemptBug.CVE-2014-0050.reason = Lorem ipsum
Default: none
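The decision the plugin makes from these three settings, applied to findings shaped like the three-column tables under Analysis Result, as an added Python example. This is not Steady's own code; it re-implements the rules stated above (exceptionThreshold, exempted scopes, exempted bugs) so they can be checked against a few findings transcribed from this report. The cell label "Executed" for a positive dynamic result is an assumption (this report only ever shows "Unknown" in that column), and the test-scoped commons-io finding is constructed to show scope exemption at work. Two caveats the tables below make visible: the "Includes vulnerable code" column is Unknown for every finding on this page, and the CVE-2014-0109/0110 descriptions name CXF 2.6/2.7 while the archives are cxf 3.1.x, so the static "potentially executes" column is the only column carrying a verdict here.

```python
"""Build-exception decision of an Eclipse Steady report, re-implemented for illustration.

Added example, not Steady's code. Mirrors the rules in the report's
"Used Configuration Settings": exceptionThreshold, exempted scopes, exempted bugs.
"""
from dataclasses import dataclass

# Cell values as they appear in the report's reachability columns.
UNKNOWN = "Unknown"
REACHABLE = "Reachable"
NOT_REACHABLE = "Not reachable"
EXECUTED = "Executed"  # assumed label for a dynamic trace hit; not observed in this report

THRESHOLDS = ("noException", "dependsOn", "potentiallyExecutes", "actuallyExecutes")


@dataclass(frozen=True)
class Finding:
    project: str      # application project (artifactId)
    archive: str      # dependency archive that carries the vulnerable code
    bug: str          # vulnerability identifier
    scope: str        # Maven scope of the dependency
    includes: str     # "Includes vulnerable code"
    potentially: str  # "Potentially executes vulnerable code" (static analysis)
    executes: str     # "Executes vulnerable code" (dynamic analysis during tests)


def is_exempted(f: Finding, exempt_scopes, exempt_bugs) -> bool:
    """A finding is ignored if its dependency scope or its bug is exempted."""
    scopes = {s.strip().lower() for s in exempt_scopes}
    return f.scope.lower() in scopes or f.bug in exempt_bugs


def triggers(f: Finding, threshold: str) -> bool:
    """Does one non-exempted finding cross the configured threshold?"""
    if threshold == "noException":
        return False
    if threshold == "dependsOn":
        return True  # depending on an archive with a known bug is already enough
    if threshold == "potentiallyExecutes":
        return f.potentially == REACHABLE
    if threshold == "actuallyExecutes":
        return f.executes == EXECUTED
    raise ValueError(f"unknown exceptionThreshold {threshold!r}; expected one of {THRESHOLDS}")


def offending(findings, threshold, exempt_scopes=("test", "provided"), exempt_bugs=()):
    """(project, archive, bug) triples that would make the build fail, sorted, no duplicates."""
    return sorted(
        {(f.project, f.archive, f.bug)
         for f in findings
         if not is_exempted(f, exempt_scopes, exempt_bugs) and triggers(f, threshold)}
    )


def build_fails(findings, threshold, **kw) -> bool:
    return bool(offending(findings, threshold, **kw))


# Findings transcribed from the tables of this report (same projects, archives,
# bugs and cell values), plus one constructed test-scoped finding at the end.
REPORT = [
    Finding("step1_simple_springboot_app_with_cxf", "cxf-core-3.1.6.jar", "CVE-2014-0110",
            "compile", UNKNOWN, NOT_REACHABLE, UNKNOWN),
    Finding("step3_jaxws-endpoint-cxf-spring-boot", "cxf-core-3.1.6.jar", "CVE-2014-0110",
            "compile", UNKNOWN, REACHABLE, UNKNOWN),
    Finding("step3_jaxws-endpoint-cxf-spring-boot", "cxf-core-3.1.6.jar", "CVE-2014-0109",
            "compile", UNKNOWN, NOT_REACHABLE, UNKNOWN),
    Finding("step10_simple_app_with_cxf-spring-boot-starter", "commons-io-2.5.jar", "CVE-2021-29425",
            "compile", UNKNOWN, UNKNOWN, UNKNOWN),
    Finding("step4_test", "commons-io-2.5.jar", "CVE-2021-29425",  # constructed: test scope
            "test", UNKNOWN, REACHABLE, UNKNOWN),
]

if __name__ == "__main__":
    for t in THRESHOLDS:
        print(f"{t:20s} build fails: {build_fails(REPORT, t)!s:5}  {offending(REPORT, t)}")
    print("potentiallyExecutes with CVE-2014-0110 exempted:",
          offending(REPORT, "potentiallyExecutes", exempt_bugs={"CVE-2014-0110"}))
```

Run as is, it shows why this report says Success: under noException nothing fails; under the default dependsOn, and under potentiallyExecutes, the same findings would fail the build, because CVE-2014-0110 code in cxf-core-3.1.6.jar is statically reachable from step3_jaxws-endpoint-cxf-spring-boot; under actuallyExecutes nothing fails only because the dynamic column is Unknown throughout, not because the code was shown not to execute.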

Vulnerabilities (0)

Exempted Vulnerabilities (182)

commons-io-2.5.jar

affected by

CVE-2021-29425

Archive Digest: 2852E6E05FBB95076FC091F6D1780F1F8FE35E0F
CVSS Score: 4.8 (v3.1)

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step10_simple_app_with_cxf-spring-boot-starter | COMPILE | true | Unknown | Unknown | Unknown

cxf-core-3.1.6.jar

affected by

CVE-2014-0109

Archive Digest: ABF6A1B33BB153F16D67C32159A78BDA8DFB68C3
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step7_soap_message_logging_payload_only | COMPILE | true | Unknown | Not reachable | Unknown
step8_logging_into_elasticstack | COMPILE | true | Unknown | Not reachable | Unknown
step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true | Unknown | Not reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl | COMPILE | true | Unknown | Not reachable | Unknown
step1_simple_springboot_app_with_cxf | COMPILE | true | Unknown | Not reachable | Unknown
step5_custom-soap-fault | COMPILE | true | Unknown | Not reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot | COMPILE | true | Unknown | Not reachable | Unknown
step2_wsdl_2_java_maven | COMPILE | true | Unknown | Not reachable | Unknown
step6_soap_message_logging | COMPILE | true | Unknown | Not reachable | Unknown
step4_test | COMPILE | true | Unknown | Not reachable | Unknown

cxf-core-3.1.6.jar

affected by

CVE-2014-0110

Archive Digest: ABF6A1B33BB153F16D67C32159A78BDA8DFB68C3
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step1_simple_springboot_app_with_cxf | COMPILE | true | Unknown | Not reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot | COMPILE | true | Unknown | Reachable | Unknown
step6_soap_message_logging | COMPILE | true | Unknown | Reachable | Unknown
step5_custom-soap-fault | COMPILE | true | Unknown | Reachable | Unknown
step4_test | COMPILE | true | Unknown | Reachable | Unknown
step2_wsdl_2_java_maven | COMPILE | true | Unknown | Not reachable | Unknown
step7_soap_message_logging_payload_only | COMPILE | true | Unknown | Reachable | Unknown
step8_logging_into_elasticstack | COMPILE | true | Unknown | Reachable | Unknown
step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true | Unknown | Reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl | COMPILE | true | Unknown | Reachable | Unknown

cxf-core-3.1.6.jar

affected by

CVE-2019-12406

Archive Digest: ABF6A1B33BB153F16D67C32159A78BDA8DFB68C3
CVSS Score: 6.5 (v3.1)

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true | Unknown | Reachable | Unknown
step8_logging_into_elasticstack | COMPILE | true | Unknown | Reachable | Unknown
step2_wsdl_2_java_maven | COMPILE | true | Unknown | Reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl | COMPILE | true | Unknown | Reachable | Unknown
step5_custom-soap-fault | COMPILE | true | Unknown | Reachable | Unknown
step4_test | COMPILE | true | Unknown | Reachable | Unknown
step1_simple_springboot_app_with_cxf | COMPILE | true | Unknown | Reachable | Unknown
step6_soap_message_logging | COMPILE | true | Unknown | Reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot | COMPILE | true | Unknown | Reachable | Unknown
step7_soap_message_logging_payload_only | COMPILE | true | Unknown | Reachable | Unknown

cxf-core-3.1.7.jar

affected by

CVE-2014-0109

Archive Digest: 679C1D2AB838BD7B53B82140199648051B2ADFEC
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (memory consumption) via a large request with the Content-Type set to text/html to a SOAP endpoint, which triggers an error.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step10_simple_app_with_cxf-spring-boot-starter | COMPILE | true | Unknown | Not reachable | Unknown

cxf-core-3.1.7.jar

affected by

CVE-2014-0110

Archive Digest: 679C1D2AB838BD7B53B82140199648051B2ADFEC
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step10_simple_app_with_cxf-spring-boot-starter | COMPILE | true | Unknown | Reachable | Unknown

cxf-core-3.1.7.jar

affected by

CVE-2019-12406

Archive Digest: 679C1D2AB838BD7B53B82140199648051B2ADFEC
CVSS Score: 6.5 (v3.1)

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step10_simple_app_with_cxf-spring-boot-starter | COMPILE | true | Unknown | Reachable | Unknown

cxf-rt-transports-http-3.1.6.jar

affected by

CVE-2014-0110

Archive Digest: 82F254C909FF12ECAEBB89189D8B0FC7054C4AD1
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

Application project (group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT) | Scope | Transitive dependency | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
step6_soap_message_logging | COMPILE | false | Unknown | Reachable | Unknown
step4_test | COMPILE | false | Unknown | Reachable | Unknown
step1_simple_springboot_app_with_cxf | COMPILE | false | Unknown | Reachable | Unknown
step2_wsdl_2_java_maven | COMPILE | false | Unknown | Reachable | Unknown
step5_custom-soap-fault | COMPILE | false | Unknown | Reachable | Unknown
step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | false | Unknown | Reachable | Unknown
step3_jaxws-endpoint-cxf-spring-boot | COMPILE | false | Unknown | Reachable |
step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl | COMPILE | false | Unknown | Reachable |
step8_logging_into_elasticstack | COMPILE | false | Unknown | Reachable |
step7_soap_message_logging_payload_only | COMPILE | false | Unknown | Reachable |

The source page ends here; the last four values of the "Executes vulnerable code" column are cut off.
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: false
  7. step3_jaxws-endpoint-cxf-spring-boot Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: false
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: false
  9. step8_logging_into_elasticstack Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: false
  10. step7_soap_message_logging_payload_only Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: false

cxf-rt-transports-http-3.1.6.jar

affected by

CVE-2019-17573

Archive Digest: 82F254C909FF12ECAEBB89189D8B0FC7054C4AD1
CVSS Score: 6.1 (v3.1)

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Note that the attack exploits a feature which is typically not present in modern browsers, which remove dot segments before sending the request; mobile applications, however, may be vulnerable.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step4_test                                                 | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  2 | step6_soap_message_logging                                 | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  3 | step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  4 | step8_logging_into_elasticstack                            | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  5 | step7_soap_message_logging_payload_only                    | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  6 | step2_wsdl_2_java_maven                                    | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  7 | step3_jaxws-endpoint-cxf-spring-boot                       | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  8 | step1_simple_springboot_app_with_cxf                       | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
  9 | step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | COMPILE | false      | Unknown                  | Not reachable                        | Unknown
 10 | step5_custom-soap-fault                                    | COMPILE | false      | Unknown                  | Not reachable                        | Unknown

cxf-rt-transports-http-3.1.7.jar

affected by

CVE-2014-0110

Archive Digest: 11D1433937463C1B717916CB7DDF8A91620DE22C
CVSS Score: 4.3 (v2.0)

Apache CXF before 2.6.14 and 2.7.x before 2.7.11 allows remote attackers to cause a denial of service (/tmp disk consumption) via a large invalid SOAP message.

Note that the flagged archive, cxf-rt-transports-http-3.1.7.jar, is far newer than the fix versions named in this description, and the "Includes vulnerable code" column below is Unknown: Steady could not decide from the archive whether the code touched by the fix is present in its vulnerable or in its fixed revision. The static "Reachable" result therefore only says that those constructs lie on a call path from the application, not that the defect is still there; confirm against the CXF advisory before treating this finding as exploitable.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step10_simple_app_with_cxf-spring-boot-starter             | COMPILE | true       | Unknown                  | Reachable                            | Unknown

cxf-rt-transports-http-3.1.7.jar

affected by

CVE-2019-17573

Archive Digest: 11D1433937463C1B717916CB7DDF8A91620DE22C
CVSS Score: 6.1 (v3.1)

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Note that the attack exploits a feature which is typically not present in modern browsers, which remove dot segments before sending the request; mobile applications, however, may be vulnerable.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step10_simple_app_with_cxf-spring-boot-starter             | COMPILE | true       | Unknown                  | Not reachable                        | Unknown
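
Both CVE-2019-17573 findings above (cxf-rt-transports-http 3.1.6 and 3.1.7) concern the same surface: the endpoint listing that CXFServlet serves under /services. The real remediation is moving to a CXF release that contains the fix; until then the exposed page can simply be switched off. The following is an added example, not code from the Steady report or from the scanned tutorial projects. It shows the Spring Boot servlet registration such an application typically uses, with the listing page disabled through the CXFServlet init parameter hide-service-list-page. The package name demo, the class name and the servlet path /soap-api/* are assumptions, and the ServletRegistrationBean generic form assumes Spring Boot 2.x.

```java
// Added example: disable the CXF /services listing page targeted by CVE-2019-17573.
// Not part of the Steady report or of the scanned tutorial projects.
// Assumptions: package "demo", servlet path "/soap-api/*", Spring Boot 2.x.
package demo;

import org.apache.cxf.transport.servlet.CXFServlet;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CxfServletConfig {

    /** Path under which CXF endpoints are exposed (assumed for the demo). */
    static final String CXF_PATH = "/soap-api/*";

    /**
     * Builds the CXFServlet registration.
     *
     * With hideServiceList == false the registration is the CXF default: a GET on
     * /soap-api/services renders the HTML listing of endpoint names and addresses,
     * i.e. the page in which the reflected XSS lives.
     *
     * With hideServiceList == true the listing page is switched off. Endpoints keep
     * working and their WSDL stays reachable via ?wsdl; only the index page disappears.
     */
    static ServletRegistrationBean<CXFServlet> cxfRegistration(boolean hideServiceList) {
        ServletRegistrationBean<CXFServlet> reg =
                new ServletRegistrationBean<>(new CXFServlet(), CXF_PATH);
        if (hideServiceList) {
            // CXFServlet init parameter; "true" removes the /services listing page.
            reg.addInitParameter("hide-service-list-page", "true");
        }
        return reg;
    }

    /** The bean Spring Boot picks up: hardened variant with the listing page disabled. */
    @Bean
    public ServletRegistrationBean<CXFServlet> cxfServlet() {
        return cxfRegistration(true);
    }
}
```

For a project that relies on cxf-spring-boot-starter-jaxws to register the servlet (as step10 does) instead of declaring the bean itself, the same init parameter can be supplied as the application property cxf.servlet.init.hide-service-list-page=true; the starter passes cxf.servlet.init.* entries through to CXFServlet as init parameters. Hiding the page removes the reflected surface but does not patch the code Steady flagged; the finding only closes once the dependency is upgraded.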

httpclient-4.5.2.jar

affected by

CVE-2013-4366

Archive Digest: 733DB77AA8D9B2D68015189DF76AB06304406E50
CVSS Score: 9.8 (v3.1)

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.

Note that httpclient-4.5.2.jar is well past the 4.3.1 fix named in this description and all three columns below are Unknown for both projects; step5_custom-soap-fault, moreover, pulls the archive in at TEST scope only. Treat this as a finding to confirm manually rather than as established exposure.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step10_simple_app_with_cxf-spring-boot-starter             | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  2 | step5_custom-soap-fault                                    | TEST    | false      | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2017-17485

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.1)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step8_logging_into_elasticstack                            | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  2 | step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true       | Unknown                  | Reachable                            | Unknown
  3 | step7_soap_message_logging_payload_only                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  4 | step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  5 | step1_simple_springboot_app_with_cxf                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  6 | step6_soap_message_logging                                 | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  7 | step2_wsdl_2_java_maven                                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  8 | step3_jaxws-endpoint-cxf-spring-boot                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2017-7525

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.1)

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step1_simple_springboot_app_with_cxf                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  2 | step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  3 | step8_logging_into_elasticstack                            | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  4 | step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true       | Unknown                  | Reachable                            | Unknown
  5 | step7_soap_message_logging_payload_only                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  6 | step3_jaxws-endpoint-cxf-spring-boot                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  7 | step2_wsdl_2_java_maven                                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  8 | step6_soap_message_logging                                 | COMPILE | true       | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2018-11307

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.1)

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

All projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT.

 #  | Artifact                                                   | Scope   | Transitive | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1 | step6_soap_message_logging                                 | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  2 | step2_wsdl_2_java_maven                                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  3 | step3_jaxws-endpoint-cxf-spring-boot                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  4 | step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  5 | step1_simple_springboot_app_with_cxf                       | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  6 | step8_logging_into_elasticstack                            | COMPILE | true       | Unknown                  | Unknown                              | Unknown
  7 | step9_soap_message_logging_into_custom_elasticsearch_field | COMPILE | true       | Unknown                  | Not reachable                        | Unknown
  8 | step7_soap_message_logging_payload_only                    | COMPILE | true       | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2018-12022

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown
  2. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  5. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown
  6. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  7. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  8. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2018-12023

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown
  2. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  5. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown
  6. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  7. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  8. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2018-5968

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 8.1 (v3.1)

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  3. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown
  4. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  5. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  7. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown
  8. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2018-7489

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.0)

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  2. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  3. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Reachable                            | Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  7. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown
  8. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2019-14540

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown
  5. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown
  6. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  7. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  8. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2019-16335

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Per application project, whether the archive's vulnerable code is included, potentially executed (static analysis) and actually executed (dynamic analysis). All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true.

  Application project                                            | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging                                  | Unknown                  | Unknown                              | Unknown
  2. step2_wsdl_2_java_maven                                     | Unknown                  | Unknown                              | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Unknown                              | Unknown
  4. step1_simple_springboot_app_with_cxf                        | Unknown                  | Unknown                              | Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Unknown                              | Unknown
  6. step8_logging_into_elasticstack                             | Unknown                  | Unknown                              | Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown
  8. step7_soap_message_logging_payload_only                     | Unknown                  | Unknown                              | Unknown

jackson-databind-2.6.5.jar

affected by

CVE-2020-36518

Archive Digest: D50BE1723A09BEFD903887099FF2014EA9020333
CVSS Score: 7.5 (v3.1)

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  1. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2017-17485

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.1)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2017-7525

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.1)

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

  1. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2018-11307

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.1)

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2018-12022

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

  1. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2018-12023

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2018-5968

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 8.1 (v3.1)

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

  1. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2018-7489

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.0)

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2019-14540

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

  1. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2019-16335

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.6.6.jar

affected by

CVE-2020-36518

Archive Digest: 5108DDE6049374BA980B360E1ECFF49847BABA4A
CVSS Score: 7.5 (v3.1)

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  1. step5_custom-soap-fault
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2017-17485

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.1)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2017-7525

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.1)

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2018-11307

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.1)

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2018-12022

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2018-12023

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 7.5 (v3.0)

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2018-5968

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 8.1 (v3.1)

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2018-7489

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.0)

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

jackson-databind-2.8.3.jar

affected by

CVE-2019-14540

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Unknown | Unknown

jackson-databind-2.8.3.jar

affected by

CVE-2019-16335

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 9.8 (v3.1)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Unknown | Unknown

jackson-databind-2.8.3.jar

affected by

CVE-2020-36518

Archive Digest: CEA3788C72271D45676CE32C0665991674B24CC5
CVSS Score: 7.5 (v3.1)

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Unknown | Unknown

spring-beans-4.2.5.RELEASE.jar

affected by

CVE-2022-22965

Archive Digest: FA992AE40F6FC47117282164E0433B71DA385E94
CVSS Score: 9.8 (v3.1)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  2. step2_wsdl_2_java_maven (de.jonashackt.tutorial:step2_wsdl_2_java_maven:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  5. step1_simple_springboot_app_with_cxf (de.jonashackt.tutorial:step1_simple_springboot_app_with_cxf:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  6. step8_logging_into_elasticstack (de.jonashackt.tutorial:step8_logging_into_elasticstack:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field (de.jonashackt.tutorial:step9_soap_message_logging_into_custom_elasticsearch_field:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  8. step7_soap_message_logging_payload_only (de.jonashackt.tutorial:step7_soap_message_logging_payload_only:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown

spring-beans-4.2.6.RELEASE.jar

affected by

CVE-2022-22965

Archive Digest: D4A319FB4D949FB6313F45C929947B9B4E26283E
CVSS Score: 9.8 (v3.1)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown
  2. step5_custom-soap-fault (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown

spring-beans-4.3.3.RELEASE.jar

affected by

CVE-2022-22965

Archive Digest: 8E446175B4C8F9BF42ABFA11E8194CB729171675
CVSS Score: 9.8 (v3.1)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Reachable | Unknown

spring-core-4.2.5.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: 0251207B29F0F38F61E3495A2F7FB053CF1BFE8C
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  2. step9_soap_message_logging_into_custom_elasticsearch_field (de.jonashackt.tutorial:step9_soap_message_logging_into_custom_elasticsearch_field:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  3. step8_logging_into_elasticstack (de.jonashackt.tutorial:step8_logging_into_elasticstack:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  5. step7_soap_message_logging_payload_only (de.jonashackt.tutorial:step7_soap_message_logging_payload_only:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  6. step1_simple_springboot_app_with_cxf (de.jonashackt.tutorial:step1_simple_springboot_app_with_cxf:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  8. step2_wsdl_2_java_maven (de.jonashackt.tutorial:step2_wsdl_2_java_maven:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown

spring-core-4.2.5.RELEASE.jar

affected by

CVE-2015-0201

Archive Digest: 0251207B29F0F38F61E3495A2F7FB053CF1BFE8C
CVSS Score: 5.0 (v2.0)

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step9_soap_message_logging_into_custom_elasticsearch_field (de.jonashackt.tutorial:step9_soap_message_logging_into_custom_elasticsearch_field:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  2. step8_logging_into_elasticstack (de.jonashackt.tutorial:step8_logging_into_elasticstack:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  3. step7_soap_message_logging_payload_only (de.jonashackt.tutorial:step7_soap_message_logging_payload_only:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  4. step1_simple_springboot_app_with_cxf (de.jonashackt.tutorial:step1_simple_springboot_app_with_cxf:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  6. step2_wsdl_2_java_maven (de.jonashackt.tutorial:step2_wsdl_2_java_maven:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  8. step6_soap_message_logging (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown

spring-core-4.2.5.RELEASE.jar

affected by

CVE-2018-1272

Archive Digest: 0251207B29F0F38F61E3495A2F7FB053CF1BFE8C
CVSS Score: 7.5 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step1_simple_springboot_app_with_cxf (de.jonashackt.tutorial:step1_simple_springboot_app_with_cxf:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  2. step2_wsdl_2_java_maven (de.jonashackt.tutorial:step2_wsdl_2_java_maven:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  3. step6_soap_message_logging (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  4. step7_soap_message_logging_payload_only (de.jonashackt.tutorial:step7_soap_message_logging_payload_only:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field (de.jonashackt.tutorial:step9_soap_message_logging_into_custom_elasticsearch_field:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  8. step8_logging_into_elasticstack (de.jonashackt.tutorial:step8_logging_into_elasticstack:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown

spring-core-4.2.6.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: A1C6EF01F18888F51FC5054C65EF4787B7CF0A1E
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Application project | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown
  2. step5_custom-soap-fault (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency) | Unknown | Not reachable | Unknown

spring-core-4.2.6.RELEASE.jar

affected by

CVE-2015-0201

Archive Digest: A1C6EF01F18888F51FC5054C65EF4787B7CF0A1E
CVSS Score: 5.0 (v2.0)

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Includes vulnerable code:
  1. step4_test: Unknown
  2. step5_custom-soap-fault: Unknown
Potentially executes vulnerable code:
  1. step4_test: Not reachable
  2. step5_custom-soap-fault: Not reachable
Executes vulnerable code:
  1. step4_test: Unknown
  2. step5_custom-soap-fault: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-core-4.2.6.RELEASE.jar

affected by

CVE-2018-1272

Archive Digest: A1C6EF01F18888F51FC5054C65EF4787B7CF0A1E
CVSS Score: 7.5 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Includes vulnerable code:
  1. step4_test: Unknown
  2. step5_custom-soap-fault: Unknown
Potentially executes vulnerable code:
  1. step4_test: Not reachable
  2. step5_custom-soap-fault: Not reachable
Executes vulnerable code:
  1. step4_test: Unknown
  2. step5_custom-soap-fault: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-core-4.3.3.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: FFAD13BE3DAC6EEF7D2418A9DE87C2A1592D3033
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-core-4.3.3.RELEASE.jar

affected by

CVE-2015-0201

Archive Digest: FFAD13BE3DAC6EEF7D2418A9DE87C2A1592D3033
CVSS Score: 5.0 (v2.0)

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-core-4.3.3.RELEASE.jar

affected by

CVE-2018-1272

Archive Digest: FFAD13BE3DAC6EEF7D2418A9DE87C2A1592D3033
CVSS Score: 7.5 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.2.5.RELEASE.jar

affected by

CVE-2018-1270

Archive Digest: A42BDFB833D0BE6C18429AEA3FB0FBA81F85C6E8
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Includes vulnerable code:
  1. step6_soap_message_logging: Unknown
  2. step1_simple_springboot_app_with_cxf: Unknown
  3. step2_wsdl_2_java_maven: Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown
  5. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
  6. step8_logging_into_elasticstack: Unknown
  7. step7_soap_message_logging_payload_only: Unknown
  8. step3_jaxws-endpoint-cxf-spring-boot: Unknown
Potentially executes vulnerable code:
  1. step6_soap_message_logging: Reachable
  2. step1_simple_springboot_app_with_cxf: Reachable
  3. step2_wsdl_2_java_maven: Reachable
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Reachable
  5. step9_soap_message_logging_into_custom_elasticsearch_field: Reachable
  6. step8_logging_into_elasticstack: Reachable
  7. step7_soap_message_logging_payload_only: Reachable
  8. step3_jaxws-endpoint-cxf-spring-boot: Reachable
Executes vulnerable code:
  1. step6_soap_message_logging: Unknown
  2. step1_simple_springboot_app_with_cxf: Unknown
  3. step2_wsdl_2_java_maven: Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown
  5. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
  6. step8_logging_into_elasticstack: Unknown
  7. step7_soap_message_logging_payload_only: Unknown
  8. step3_jaxws-endpoint-cxf-spring-boot: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.2.5.RELEASE.jar

affected by

CVE-2018-1275

Archive Digest: A42BDFB833D0BE6C18429AEA3FB0FBA81F85C6E8
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Includes vulnerable code:
  1. step7_soap_message_logging_payload_only: Unknown
  2. step2_wsdl_2_java_maven: Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown
  4. step6_soap_message_logging: Unknown
  5. step1_simple_springboot_app_with_cxf: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown
  7. step8_logging_into_elasticstack: Unknown
  8. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
Potentially executes vulnerable code:
  1. step7_soap_message_logging_payload_only: Reachable
  2. step2_wsdl_2_java_maven: Reachable
  3. step3_jaxws-endpoint-cxf-spring-boot: Reachable
  4. step6_soap_message_logging: Reachable
  5. step1_simple_springboot_app_with_cxf: Reachable
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Reachable
  7. step8_logging_into_elasticstack: Reachable
  8. step9_soap_message_logging_into_custom_elasticsearch_field: Reachable
Executes vulnerable code:
  1. step7_soap_message_logging_payload_only: Unknown
  2. step2_wsdl_2_java_maven: Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown
  4. step6_soap_message_logging: Unknown
  5. step1_simple_springboot_app_with_cxf: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown
  7. step8_logging_into_elasticstack: Unknown
  8. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.2.6.RELEASE.jar

affected by

CVE-2018-1270

Archive Digest: C0182D73F348AB11D51D45CBE29F3820C32D0CCC
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Includes vulnerable code:
  1. step5_custom-soap-fault: Unknown
  2. step4_test: Unknown
Potentially executes vulnerable code:
  1. step5_custom-soap-fault: Reachable
  2. step4_test: Reachable
Executes vulnerable code:
  1. step5_custom-soap-fault: Unknown
  2. step4_test: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.2.6.RELEASE.jar

affected by

CVE-2018-1275

Archive Digest: C0182D73F348AB11D51D45CBE29F3820C32D0CCC
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Includes vulnerable code:
  1. step5_custom-soap-fault: Unknown
  2. step4_test: Unknown
Potentially executes vulnerable code:
  1. step5_custom-soap-fault: Reachable
  2. step4_test: Reachable
Executes vulnerable code:
  1. step5_custom-soap-fault: Unknown
  2. step4_test: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.3.3.RELEASE.jar

affected by

CVE-2018-1270

Archive Digest: 5E2F2E998370BC7D93C3B2C51F88EB3F95D3A470
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Reachable
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-expression-4.3.3.RELEASE.jar

affected by

CVE-2018-1275

Archive Digest: 5E2F2E998370BC7D93C3B2C51F88EB3F95D3A470
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Reachable
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-messaging-4.2.5.RELEASE.jar

affected by

CVE-2018-1257

Archive Digest: 604103815489605ED609A742A6BBC708AE3DB12C
CVSS Score: 6.5 (v3.1)

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

Includes vulnerable code:
  1. step6_soap_message_logging: Unknown
  2. step8_logging_into_elasticstack: Unknown
  3. step7_soap_message_logging_payload_only: Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
Potentially executes vulnerable code:
  1. step6_soap_message_logging: Unknown
  2. step8_logging_into_elasticstack: Unknown
  3. step7_soap_message_logging_payload_only: Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
Executes vulnerable code:
  1. step6_soap_message_logging: Unknown
  2. step8_logging_into_elasticstack: Unknown
  3. step7_soap_message_logging_payload_only: Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-messaging-4.2.5.RELEASE.jar

affected by

CVE-2018-1270

Archive Digest: 604103815489605ED609A742A6BBC708AE3DB12C
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Includes vulnerable code:
  1. step8_logging_into_elasticstack: Unknown
  2. step7_soap_message_logging_payload_only: Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
  4. step6_soap_message_logging: Unknown
Potentially executes vulnerable code:
  1. step8_logging_into_elasticstack: Unknown
  2. step7_soap_message_logging_payload_only: Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
  4. step6_soap_message_logging: Unknown
Executes vulnerable code:
  1. step8_logging_into_elasticstack: Unknown
  2. step7_soap_message_logging_payload_only: Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown
  4. step6_soap_message_logging: Unknown
All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency true

spring-messaging-4.2.6.RELEASE.jar

affected by

CVE-2018-1257

Archive Digest: F7B3F8F875E055295F6ED2E552187F25B55C6920
CVSS Score: 6.5 (v3.1)

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-messaging-4.2.6.RELEASE.jar

affected by

CVE-2018-1270

Archive Digest: F7B3F8F875E055295F6ED2E552187F25B55C6920
CVSS Score: 9.8 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.5.RELEASE.jar

affected by

CVE-2014-0054

Archive Digest: A557A238342412A2C8A238DC01FB735565D1D871
CVSS Score: 6.8 (v2.0)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step7_soap_message_logging_payload_only: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step6_soap_message_logging: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.5.RELEASE.jar

affected by

CVE-2014-0225

Archive Digest: A557A238342412A2C8A238DC01FB735565D1D871
CVSS Score: 8.8 (v3.0)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step6_soap_message_logging: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step8_logging_into_elasticstack: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step7_soap_message_logging_payload_only: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.5.RELEASE.jar

affected by

CVE-2014-3578

Archive Digest: A557A238342412A2C8A238DC01FB735565D1D871
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step6_soap_message_logging: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step7_soap_message_logging_payload_only: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.5.RELEASE.jar

affected by

CVE-2015-3192

Archive Digest: A557A238342412A2C8A238DC01FB735565D1D871
CVSS Score: 5.5 (v3.0)

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step6_soap_message_logging: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step8_logging_into_elasticstack: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step7_soap_message_logging_payload_only: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.6.RELEASE.jar

affected by

CVE-2014-0054

Archive Digest: 03FDC13B31464934372F1B260C274F21491ADBFF
CVSS Score: 6.8 (v2.0)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.6.RELEASE.jar

affected by

CVE-2014-0225

Archive Digest: 03FDC13B31464934372F1B260C274F21491ADBFF
CVSS Score: 8.8 (v3.0)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.6.RELEASE.jar

affected by

CVE-2014-3578

Archive Digest: 03FDC13B31464934372F1B260C274F21491ADBFF
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-oxm-4.2.6.RELEASE.jar

affected by

CVE-2015-3192

Archive Digest: 03FDC13B31464934372F1B260C274F21491ADBFF
CVSS Score: 5.5 (v3.0)

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-test-4.2.5.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 60BD0AC25869D515717284B77644D0416D3A38C5
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step2_wsdl_2_java_maven: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  2. step8_logging_into_elasticstack: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  5. step1_simple_springboot_app_with_cxf: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  6. step7_soap_message_logging_payload_only: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  7. step6_soap_message_logging: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  8. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true

spring-test-4.2.6.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 1F869333B3D64F17009A613368165978AF575D8C
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
  1. step5_custom-soap-fault: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true
  2. step4_test: Unknown / Unknown / Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: TEST
    Transitive dependency: true

spring-test-4.3.3.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: C2762EE500A939DED0435D11957E7630690DE2F2
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Unknown              | Unknown  | TEST    | 1. step10_simple_app_with_cxf-spring-boot-starter

spring-tx-4.2.5.RELEASE.jar

affected by

CVE-2014-1904

Archive Digest: 7395321FE937272D9B781A13985E04AB2DCD6210
CVSS Score: 4.3 (v2.0)

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Unknown              | Unknown  | COMPILE | 1. step7_soap_message_logging_payload_only
  Unknown  | Unknown              | Unknown  | COMPILE | 2. step6_soap_message_logging
  Unknown  | Unknown              | Unknown  | COMPILE | 3. step8_logging_into_elasticstack
  Unknown  | Unknown              | Unknown  | COMPILE | 4. step9_soap_message_logging_into_custom_elasticsearch_field

spring-tx-4.2.6.RELEASE.jar

affected by

CVE-2014-1904

Archive Digest: BA7502C0644414748B1EEB65B4193B05D335A110
CVSS Score: 4.3 (v2.0)

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Unknown              | Unknown  | COMPILE | 1. step4_test
  Unknown  | Unknown              | Unknown  | COMPILE | 2. step5_custom-soap-fault

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2013-4152

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 6.8 (v2.0)

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Not reachable        | Unknown  | COMPILE | 1. step2_wsdl_2_java_maven
  Unknown  | Not reachable        | Unknown  | COMPILE | 2. step6_soap_message_logging
  Unknown  | Not reachable        | Unknown  | COMPILE | 3. step3_jaxws-endpoint-cxf-spring-boot
  Unknown  | Not reachable        | Unknown  | COMPILE | 4. step7_soap_message_logging_payload_only
  Unknown  | Not reachable        | Unknown  | COMPILE | 5. step8_logging_into_elasticstack
  Unknown  | Not reachable        | Unknown  | COMPILE | 6. step9_soap_message_logging_into_custom_elasticsearch_field
  Unknown  | Not reachable        | Unknown  | COMPILE | 7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
  Unknown  | Not reachable        | Unknown  | COMPILE | 8. step1_simple_springboot_app_with_cxf

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Not reachable        | Unknown  | COMPILE | 1. step7_soap_message_logging_payload_only
  Unknown  | Not reachable        | Unknown  | COMPILE | 2. step6_soap_message_logging
  Unknown  | Not reachable        | Unknown  | COMPILE | 3. step2_wsdl_2_java_maven
  Unknown  | Not reachable        | Unknown  | COMPILE | 4. step1_simple_springboot_app_with_cxf
  Unknown  | Not reachable        | Unknown  | COMPILE | 5. step3_jaxws-endpoint-cxf-spring-boot
  Unknown  | Not reachable        | Unknown  | COMPILE | 6. step8_logging_into_elasticstack
  Unknown  | Not reachable        | Unknown  | COMPILE | 7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
  Unknown  | Not reachable        | Unknown  | COMPILE | 8. step9_soap_message_logging_into_custom_elasticsearch_field

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2013-6430

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 5.4 (v3.1)

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Not reachable        | Unknown  | COMPILE | 1. step2_wsdl_2_java_maven
  Unknown  | Not reachable        | Unknown  | COMPILE | 2. step3_jaxws-endpoint-cxf-spring-boot
  Unknown  | Not reachable        | Unknown  | COMPILE | 3. step1_simple_springboot_app_with_cxf
  Unknown  | Not reachable        | Unknown  | COMPILE | 4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
  Unknown  | Not reachable        | Unknown  | COMPILE | 5. step9_soap_message_logging_into_custom_elasticsearch_field
  Unknown  | Not reachable        | Unknown  | COMPILE | 6. step8_logging_into_elasticstack
  Unknown  | Not reachable        | Unknown  | COMPILE | 7. step7_soap_message_logging_payload_only
  Unknown  | Not reachable        | Unknown  | COMPILE | 8. step6_soap_message_logging

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2013-7315

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 6.8 (v2.0)

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all rows: Group: de.jonashackt.tutorial; Artifact: same as project name; Version: 0.0.1-SNAPSHOT; Transitive dependency: true)

  Includes | Potentially executes | Executes | Scope   | Project
  Unknown  | Not reachable        | Unknown  | COMPILE | 1. step1_simple_springboot_app_with_cxf
  Unknown  | Not reachable        | Unknown  | COMPILE | 2. step2_wsdl_2_java_maven
  Unknown  | Not reachable        | Unknown  | COMPILE | 3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
  Unknown  | Not reachable        | Unknown  | COMPILE | 4. step6_soap_message_logging
  Unknown  | Not reachable        | Unknown  | COMPILE | 5. step7_soap_message_logging_payload_only
  Unknown  | Not reachable        | Unknown  | COMPILE | 6. step9_soap_message_logging_into_custom_elasticsearch_field
  Unknown  | Not reachable        | Unknown  | COMPILE | 7. step8_logging_into_elasticstack
  Unknown  | Not reachable        | Unknown  | COMPILE | 8. step3_jaxws-endpoint-cxf-spring-boot

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2014-0054

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 6.8 (v2.0)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2014-0225

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 8.8 (v3.0)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2014-3578

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2015-3192

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 5.5 (v3.0)

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2018-11039

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 5.9 (v3.1)

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2018-15756

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 7.5 (v3.1)

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(all eight affected projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  4. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  5. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  6. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  8. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step1_simple_springboot_app_with_cxf: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step7_soap_message_logging_payload_only: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step2_wsdl_2_java_maven: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.5.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 49CD2430884B77172AA81E3FC33EF668EA1DAB30
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step1_simple_springboot_app_with_cxf: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step8_logging_into_elasticstack: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step2_wsdl_2_java_maven: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2013-4152

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 6.8 (v2.0)

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2013-6430

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 5.4 (v3.1)

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2013-7315

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 6.8 (v2.0)

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2014-0054

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 6.8 (v2.0)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2014-0225

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 8.8 (v3.0)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2014-3578

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2015-3192

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 5.5 (v3.0)

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

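The six XML findings against spring-web-4.2.6.RELEASE.jar (CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225 and CVE-2015-3192) share one root cause: an XML parser that still honours a DOCTYPE, so external entities get resolved and inline DTDs get expanded. Upgrading spring-web addresses the framework's own converters; any XML the application parses itself (for example SOAP payloads handled outside Spring) needs the same parser configuration. The following is an added example, not code from this tutorial project or from Spring: it configures a JAXP DocumentBuilderFactory and a StAX XMLInputFactory to refuse DOCTYPE declarations and external entities, then feeds each a constructed XXE payload to show that the hardened parsers stop before any entity is resolved. Class and method names are the example's own; the feature URIs are the standard Xerces/JAXP ones shipped with the JDK.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added example (not project code): XML parsers hardened against XXE and DTD-based DoS. */
public final class XxeHardeningExample {

    /** Constructed XXE payload: an external general entity that would read a local file. */
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<data>&xxe;</data>";

    /** DOM/JAXP factory with DOCTYPE and external entity resolution switched off. */
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright; this also stops inline-DTD entity expansion (CVE-2015-3192 class).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** StAX factory (the XMLInputFactory path named in CVE-2013-7315) with DTD support off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Returns true when the DOM parser refuses the payload instead of resolving the entity. */
    static boolean domRejectsPayload() throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(XXE_PAYLOAD)));
            return false;            // parsed without error: the entity may have been resolved
        } catch (SAXParseException expected) {
            return true;             // "DOCTYPE is disallowed" is raised before any resolution
        }
    }

    /**
     * Returns true when the StAX reader either refuses the document or yields no character
     * data for the entity reference, i.e. the file contents never reach the application.
     */
    static boolean staxRejectsPayload() throws Exception {
        XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(XXE_PAYLOAD));
        StringBuilder text = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
        } catch (XMLStreamException expected) {
            return true;             // DOCTYPE rejected, or the undeclared entity was reported
        } finally {
            r.close();
        }
        return text.toString().trim().isEmpty();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM parser blocks XXE payload:  " + domRejectsPayload());
        System.out.println("StAX parser blocks XXE payload: " + staxRejectsPayload());
    }
}
```

Both checks print true on a stock JDK: the DOM parser fails on the DOCTYPE itself, and the StAX reader either fails the same way or reports the entity as undeclared, so file:///etc/hostname is never opened. The same two factories are what you would hand to a JAXB Unmarshaller (via a StAXSource) or a SAXParser wrapped in a SAXSource, which are exactly the entry points the OXM and message-converter CVEs above describe.
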
Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2018-11039

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 5.9 (v3.1)

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2018-15756

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 7.5 (v3.1)

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

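CVE-2018-15756 above is a resource-exhaustion bug: each range in a Range header costs the server a region to read, and nothing in the affected versions bounded how many ranges, or how much overlap, a single request could ask for. Patched spring-web versions enforce such a bound; an application that serves static content through its own code, or that cannot upgrade immediately, can apply the same idea in front of the resource handler. The following is an added example, not code from this tutorial project or from Spring: a standalone parser for the RFC 7233 "bytes=" form that rejects a header with more than a fixed number of ranges, with overlapping ranges, or whose ranges together exceed the resource, returning null so the caller can answer 416 or ignore the header and serve the full resource. MAX_RANGES, the class and method names, and the sample headers in main are the example's own choices.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;

/** Added example (not project code): reject abusive Range headers before serving a resource. */
public final class RangeHeaderGuard {

    /** Upper bound on ranges per request; legitimate clients rarely need more than a handful. */
    static final int MAX_RANGES = 100;

    /** A byte range already resolved against a resource of known length (inclusive bounds). */
    static final class ByteRange {
        final long start;
        final long end;
        ByteRange(long start, long end) { this.start = start; this.end = end; }
        long length() { return end - start + 1; }
    }

    /**
     * Parses a "bytes=" Range header against a resource of {@code resourceLength} bytes.
     * Returns null when the header must not be honoured: unparsable, unsatisfiable, more than
     * MAX_RANGES ranges, overlapping ranges, or an aggregate size larger than the resource.
     */
    static List<ByteRange> parseRanges(String header, long resourceLength) {
        if (header == null) return null;
        String h = header.trim().toLowerCase(Locale.ROOT);
        if (!h.startsWith("bytes=")) return null;
        String[] specs = h.substring("bytes=".length()).split(",");
        if (specs.length > MAX_RANGES) return null;      // CVE-2018-15756 shape: huge range count

        List<ByteRange> ranges = new ArrayList<>();
        long total = 0;
        for (String spec : specs) {
            spec = spec.trim();
            int dash = spec.indexOf('-');
            if (dash < 0) return null;
            try {
                ByteRange r;
                if (dash == 0) {                          // suffix form "-N": the last N bytes
                    long suffix = Long.parseLong(spec.substring(1));
                    if (suffix <= 0) return null;
                    r = new ByteRange(Math.max(0, resourceLength - suffix), resourceLength - 1);
                } else {
                    long start = Long.parseLong(spec.substring(0, dash));
                    long end = dash == spec.length() - 1
                        ? resourceLength - 1                         // open form "N-": to the end
                        : Math.min(Long.parseLong(spec.substring(dash + 1)), resourceLength - 1);
                    if (start < 0 || start > end || start >= resourceLength) return null;
                    r = new ByteRange(start, end);
                }
                ranges.add(r);
                total += r.length();
            } catch (NumberFormatException e) {
                return null;
            }
        }
        // Overlapping or redundant wide ranges multiply server work for a fixed request size.
        if (total > resourceLength) return null;
        ranges.sort(Comparator.comparingLong(r -> r.start));
        for (int i = 1; i < ranges.size(); i++) {
            if (ranges.get(i).start <= ranges.get(i - 1).end) return null;
        }
        return ranges;
    }

    public static void main(String[] args) {
        long len = 10_000;
        // Constructed headers: one benign, one with overlapping wide ranges, one with too many ranges.
        String benign = "bytes=0-499, 9000-";
        String overlapping = "bytes=0-9999, 1-9999, 2-9999";
        StringBuilder many = new StringBuilder("bytes=0-0");
        for (int i = 1; i <= MAX_RANGES; i++) many.append(',').append(i).append('-').append(i);

        System.out.println("benign      -> " + (parseRanges(benign, len) != null ? "serve 206" : "reject"));
        System.out.println("overlapping -> " + (parseRanges(overlapping, len) != null ? "serve 206" : "reject"));
        System.out.println("too many    -> " + (parseRanges(many.toString(), len) != null ? "serve 206" : "reject"));
    }
}
```

Run against the constructed headers, the benign request yields two regions (0-499 and 9000-9999) and is served, while the overlapping request (about 30,000 bytes of regions for a 10,000-byte resource) and the 101-range request both come back null. The aggregate-size check is the important one: a handful of ranges that each span almost the whole file costs as much as thousands of tiny ones, so counting ranges alone is not sufficient.
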
Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step4_test: Unknown | Not reachable | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  1. step5_custom-soap-fault
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step4_test
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.2.6.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: D5CE949DA3F3266F118ED899A153413613B503AD
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

  1. step4_test
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
  2. step5_custom-soap-fault
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2013-4152

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 6.8 (v2.0)

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2013-6429

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 6.8 (v2.0)

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2013-7315

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 6.8 (v2.0)

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2014-0054

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 6.8 (v2.0)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2014-0225

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 8.8 (v3.0)

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2014-3578

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2018-15756

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 7.5 (v3.1)

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Vulnerable
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-web-4.3.3.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: F66F40ABFE733621768EAE0515EA0DC90BB49753
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

  1. step10_simple_app_with_cxf-spring-boot-starter
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Vulnerable
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2014-1904

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 4.3 (v2.0)

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

  1. step7_soap_message_logging_payload_only
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  2. step2_wsdl_2_java_maven
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  3. step6_soap_message_logging
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  4. step1_simple_springboot_app_with_cxf
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  5. step3_jaxws-endpoint-cxf-spring-boot
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  6. step9_soap_message_logging_into_custom_elasticsearch_field
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  7. step8_logging_into_elasticstack
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2014-3625

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

  1. step8_logging_into_elasticstack
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  3. step2_wsdl_2_java_maven
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  4. step6_soap_message_logging
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  5. step1_simple_springboot_app_with_cxf
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  6. step7_soap_message_logging_payload_only
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  8. step9_soap_message_logging_into_custom_elasticsearch_field
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2016-5007

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 7.5 (v3.0)

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

  1. step8_logging_into_elasticstack
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  2. step2_wsdl_2_java_maven
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  5. step7_soap_message_logging_payload_only
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  7. step6_soap_message_logging
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown
  8. step1_simple_springboot_app_with_cxf
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Unknown
    Executes vulnerable code: Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2016-9878

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 7.5 (v3.0)

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step6_soap_message_logging: Unknown | Unknown | Unknown
  2. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Unknown | Unknown
  3. step8_logging_into_elasticstack: Unknown | Unknown | Unknown
  4. step7_soap_message_logging_payload_only: Unknown | Unknown | Unknown
  5. step2_wsdl_2_java_maven: Unknown | Unknown | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Unknown | Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Unknown | Unknown
  8. step1_simple_springboot_app_with_cxf: Unknown | Unknown | Unknown
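
A report like this one is easier to act on per application project than per jar. The following Python helper is an added example, not part of Eclipse Steady or of this report: it parses the plain-text rendering of a Steady report (each of the three table columns flattened into its own numbered project list, numbering restarting at 1 per column) and aggregates findings per project, keeping CVSS v2.0 and v3.x scores apart because the report mixes both. The embedded sample is a constructed excerpt of the two CVE-2014-1904 and CVE-2016-5007 findings for spring-webmvc-4.2.6.RELEASE.jar further down, with the descriptions and the per-entry detail lines dropped.

```python
"""Per-project worklist from the plain-text rendering of an Eclipse Steady report.

Added example, not part of Eclipse Steady. It parses the flattened layout: jar file
name, "affected by", CVE id, "Archive Digest:", "CVSS Score:", the three-column header,
then one numbered project list per column (numbering restarts at 1 for each column).
"""
import re

COLUMNS = ("includes", "potentially_executes", "executes")
JAR_RE = re.compile(r"^\S+\.jar$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
DIGEST_RE = re.compile(r"^Archive Digest:\s*([0-9A-Fa-f]+)$")
SCORE_RE = re.compile(r"^CVSS Score:\s*([0-9.]+)\s*\(v([0-9.]+)\)$")
ENTRY_RE = re.compile(r"^(\d+)\.\s+(\S+)\s+(\S+)$")

# Constructed sample: two findings copied from the report; descriptions and the
# Group/Artifact/Version/Scope/Transitive detail lines are dropped (the parser ignores them).
SAMPLE = """\
spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2014-1904

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 4.3 (v2.0)

Includes vulnerable code Potentially executes vulnerable code Executes vulnerable code
  1. step4_test Unknown
  2. step5_custom-soap-fault Unknown
  1. step4_test Unknown
  2. step5_custom-soap-fault Unknown
  1. step4_test Unknown
  2. step5_custom-soap-fault Unknown

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2016-5007

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 7.5 (v3.0)

Includes vulnerable code Potentially executes vulnerable code Executes vulnerable code
  1. step5_custom-soap-fault Unknown
  2. step4_test Unknown
  1. step5_custom-soap-fault Unknown
  2. step4_test Unknown
  1. step5_custom-soap-fault Unknown
  2. step4_test Unknown
"""


def parse_report(text):
    """Return the findings in order, each with jar, cve, digest, score, cvss_version, projects."""
    findings, col = [], -1
    for line in (ln.strip() for ln in text.splitlines()):
        if JAR_RE.match(line):  # an archive name opens a new finding
            findings.append({"jar": line, "projects": {}})
            col = -1
        elif not findings:
            continue
        elif CVE_RE.match(line):
            findings[-1]["cve"] = line
        elif DIGEST_RE.match(line):
            findings[-1]["digest"] = DIGEST_RE.match(line).group(1).upper()
        elif SCORE_RE.match(line):
            score, version = SCORE_RE.match(line).groups()
            findings[-1]["score"], findings[-1]["cvss_version"] = float(score), version
        elif ENTRY_RE.match(line):
            n, artifact, status = ENTRY_RE.match(line).groups()
            if n == "1":  # numbering restarts at 1 for each of the three columns
                col += 1
            if 0 <= col < len(COLUMNS):
                findings[-1]["projects"].setdefault(artifact, {})[COLUMNS[col]] = status
    return findings


def worklist(findings):
    """Per application project: CVEs ordered by score, highest first, plus the highest score
    per CVSS major version (v2 and v3 scores are not on one scale, so keep them apart)."""
    per_project = {}
    for f in findings:
        for artifact, reach in f["projects"].items():
            entry = per_project.setdefault(artifact, {"cves": [], "max_score": {}})
            entry["cves"].append({"cve": f["cve"], "jar": f["jar"], "score": f["score"],
                                  "cvss_version": f["cvss_version"], "reachability": reach})
            major = f["cvss_version"].split(".")[0]
            entry["max_score"][major] = max(entry["max_score"].get(major, 0.0), f["score"])
    for entry in per_project.values():
        entry["cves"].sort(key=lambda c: -c["score"])
    return per_project


def cves_by_digest(findings):
    """One digest is one physical jar: replacing it clears every CVE grouped under it."""
    groups = {}
    for f in findings:
        groups.setdefault(f["digest"], set()).add(f["cve"])
    return {digest: sorted(cves) for digest, cves in groups.items()}
```

Grouping by archive digest is the quickest sanity check on a report like this: every finding for spring-webmvc-4.2.5.RELEASE.jar carries the same digest, so one version bump of that single transitive dependency clears all of them for the eight affected projects. Reachability reads Unknown in every column here, so nothing in the report justifies treating any of these findings as unreachable.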

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2018-1271

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 5.9 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath or the ServletContext), a malicious user can send a request with a specially crafted URL that leads to a directory traversal attack.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step8_logging_into_elasticstack: Unknown | Unknown | Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Unknown | Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Unknown | Unknown
  4. step7_soap_message_logging_payload_only: Unknown | Unknown | Unknown
  5. step2_wsdl_2_java_maven: Unknown | Unknown | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Unknown | Unknown
  7. step1_simple_springboot_app_with_cxf: Unknown | Unknown | Unknown
  8. step6_soap_message_logging: Unknown | Unknown | Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step7_soap_message_logging_payload_only: Unknown | Unknown | Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Unknown | Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Unknown | Unknown
  4. step8_logging_into_elasticstack: Unknown | Unknown | Unknown
  5. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Unknown | Unknown
  6. step1_simple_springboot_app_with_cxf: Unknown | Unknown | Unknown
  7. step2_wsdl_2_java_maven: Unknown | Unknown | Unknown
  8. step6_soap_message_logging: Unknown | Unknown | Unknown

spring-webmvc-4.2.5.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 0CF463CCE3E4453EB4B9A69DE2DCDFD60C3C57E0
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step8_logging_into_elasticstack: Unknown | Unknown | Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot: Unknown | Unknown | Unknown
  3. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown | Unknown | Unknown
  4. step7_soap_message_logging_payload_only: Unknown | Unknown | Unknown
  5. step1_simple_springboot_app_with_cxf: Unknown | Unknown | Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown | Unknown | Unknown
  7. step2_wsdl_2_java_maven: Unknown | Unknown | Unknown
  8. step6_soap_message_logging: Unknown | Unknown | Unknown

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2014-1904

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 4.3 (v2.0)

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step4_test: Unknown | Unknown | Unknown
  2. step5_custom-soap-fault: Unknown | Unknown | Unknown

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2014-3625

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 5.0 (v2.0)

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step4_test: Unknown | Unknown | Unknown
  2. step5_custom-soap-fault: Unknown | Unknown | Unknown

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2016-5007

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 7.5 (v3.0)

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings, for authorization and for mapping requests to controllers respectively. Differences in the strictness of the two pattern matching mechanisms, for example with regard to space trimming in path segments, can lead Spring Security to treat certain paths as unprotected when they are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern matching features, and by the fact that pattern matching in both Spring Security and the Spring Framework can easily be customized, creating additional differences.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step5_custom-soap-fault: Unknown | Unknown | Unknown
  2. step4_test: Unknown | Unknown | Unknown
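
The mechanism in the CVE-2016-5007 text above, as an added Python model that is not Spring's code and not part of this report: a strict matcher stands in for the authorization rules and a whitespace-trimming matcher for controller mapping, the only difference between them being the space trimming the CVE text names. The /admin/** rule, the /admin/users handler and the request paths are constructed for the example; the two fixes shown (one matching implementation for both layers, and deny-by-default for paths no rule recognises) are the general remedies for this class of mismatch.

```python
"""Model of the authorization/routing matcher mismatch described for CVE-2016-5007.

Added example, not Spring code. Two toy Ant-style matchers stand in for the security
layer (authorization rules) and the MVC layer (request-to-controller mapping). They
differ in one respect only, whether whitespace inside a path segment is trimmed before
comparison; that is enough for one layer to see an unprotected path while the other
routes the same request to a protected handler. Rules, paths and handler names are
hypothetical.
"""
from urllib.parse import unquote


def split_strict(path):
    """Segments compared exactly as sent ("admin " stays "admin ")."""
    return [seg for seg in path.split("/") if seg]


def split_trimming(path):
    """Segments with surrounding whitespace trimmed ("admin " becomes "admin")."""
    return [seg.strip() for seg in path.split("/") if seg.strip()]


def ant_match(pattern, path, segmenter):
    """Minimal Ant-style match: '*' matches one segment, a trailing '**' matches the rest."""
    pat, segs = segmenter(pattern), segmenter(path)
    for i, p in enumerate(pat):
        if p == "**":
            return True
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(pat) == len(segs)


# Hypothetical application configuration (constructed for the example).
SECURITY_RULES = [("/admin/**", {"ROLE_ADMIN"})]             # authorization layer
CONTROLLERS = {"/admin/users": "AdminController.listUsers"}  # routing layer


def dispatch(raw_path, roles, security_segmenter, mvc_segmenter, deny_by_default=False):
    """Run authorization, then routing; return the handler that runs or the refusal."""
    path = unquote(raw_path)  # both layers see the same decoded path
    for pattern, required_roles in SECURITY_RULES:
        if ant_match(pattern, path, security_segmenter):
            if not roles & required_roles:
                return "403 Forbidden"
            break
    else:  # no rule matched this path
        if deny_by_default:
            return "403 Forbidden (no rule matched)"
    for mapping, handler in CONTROLLERS.items():
        if ant_match(mapping, path, mvc_segmenter):
            return handler
    return "404 Not Found"


def demo():
    """The cases that matter, as (label, outcome) pairs."""
    anon = set()
    return [
        ("admin, clean path", dispatch("/admin/users", {"ROLE_ADMIN"}, split_strict, split_trimming)),
        ("anonymous, clean path", dispatch("/admin/users", anon, split_strict, split_trimming)),
        # mismatch: security sees "admin " (no rule applies), MVC trims it and routes to the handler
        ("anonymous, 'admin%20' with mismatched matchers",
         dispatch("/admin%20/users", anon, split_strict, split_trimming)),
        # fix 1: one matching implementation for both layers
        ("anonymous, 'admin%20', same matcher",
         dispatch("/admin%20/users", anon, split_trimming, split_trimming)),
        # fix 2: deny by default, so a request no rule recognises never reaches a handler
        ("anonymous, 'admin%20', deny by default",
         dispatch("/admin%20/users", anon, split_strict, split_trimming, True)),
    ]


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label}: {outcome}")
```

The third case is the whole finding in miniature: the anonymous request reaches AdminController.listUsers because the layer that decides "protected or not" and the layer that decides "which handler" disagree about what the path is. Either fix alone closes it; applying both is the usual recommendation, since deny-by-default also covers matcher differences nobody has thought of yet.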

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2016-9878

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 7.5 (v3.0)

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
(all listed projects: group de.jonashackt.tutorial, version 0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  1. step5_custom-soap-fault: Unknown | Unknown | Unknown
  2. step4_test: Unknown | Unknown | Unknown

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2018-1271

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 5.9 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

  Project                 | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step4_test              | Unknown                  | Unknown                              | Unknown
  step5_custom-soap-fault | Unknown                  | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However, a notable exception to this are Chrome-based browsers when using client certificates for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  Project                 | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step4_test              | Unknown                  | Unknown                              | Unknown
  step5_custom-soap-fault | Unknown                  | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.2.6.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 7C7EA475D33287E0E3A92E98CCBE0AD6A0DBB9CA
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

  Project                 | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step4_test              | Unknown                  | Unknown                              | Unknown
  step5_custom-soap-fault | Unknown                  | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.3.3.RELEASE.jar

affected by

CVE-2016-5007

Archive Digest: 729D7756BA6B41B6AE40BE9DFF076BA31946F923
CVSS Score: 7.5 (v3.0)

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to leave unprotected certain paths that are in fact mapped to Spring MVC controllers and should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching, and by the fact that pattern matching in both Spring Security and the Spring Framework can easily be customized, creating additional differences.

  Project                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step10_simple_app_with_cxf-spring-boot-starter | Unknown                  | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.3.3.RELEASE.jar

affected by

CVE-2016-9878

Archive Digest: 729D7756BA6B41B6AE40BE9DFF076BA31946F923
CVSS Score: 7.5 (v3.0)

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

  Project                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step10_simple_app_with_cxf-spring-boot-starter | Vulnerable               | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.3.3.RELEASE.jar

affected by

CVE-2018-1271

Archive Digest: 729D7756BA6B41B6AE40BE9DFF076BA31946F923
CVSS Score: 5.9 (v3.1)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

  Project                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step10_simple_app_with_cxf-spring-boot-starter | Vulnerable               | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.3.3.RELEASE.jar

affected by

CVE-2020-5397

Archive Digest: 729D7756BA6B41B6AE40BE9DFF076BA31946F923
CVSS Score: 5.3 (v3.1)

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However, a notable exception to this are Chrome-based browsers when using client certificates for authentication, since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

  Project                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step10_simple_app_with_cxf-spring-boot-starter | Unknown                  | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

spring-webmvc-4.3.3.RELEASE.jar

affected by

CVE-2020-5421

Archive Digest: 729D7756BA6B41B6AE40BE9DFF076BA31946F923
CVSS Score: 6.5 (v3.1)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

  Project                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step10_simple_app_with_cxf-spring-boot-starter | Vulnerable               | Unknown                              | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-11784

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 4.3 (v3.0)

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

  Project                                                    | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step7_soap_message_logging_payload_only                    | Unknown                  | Not reachable                        | Unknown
  step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | Unknown                  | Not reachable                        | Unknown
  step8_logging_into_elasticstack                            | Unknown                  | Not reachable                        | Unknown
  step9_soap_message_logging_into_custom_elasticsearch_field | Unknown                  | Not reachable                        | Unknown
  step1_simple_springboot_app_with_cxf                       | Unknown                  | Not reachable                        | Unknown
  step3_jaxws-endpoint-cxf-spring-boot                       | Unknown                  | Not reachable                        | Unknown
  step6_soap_message_logging                                 | Unknown                  | Not reachable                        | Unknown
  step2_wsdl_2_java_maven                                    | Unknown                  | Not reachable                        | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-1304

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 5.9 (v3.0)

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

  Project                                                    | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | Unknown                  | Not reachable                        | Unknown
  step3_jaxws-endpoint-cxf-spring-boot                       | Unknown                  | Not reachable                        | Unknown
  step2_wsdl_2_java_maven                                    | Unknown                  | Not reachable                        | Unknown
  step6_soap_message_logging                                 | Unknown                  | Not reachable                        | Unknown
  step1_simple_springboot_app_with_cxf                       | Unknown                  | Not reachable                        | Unknown
  step7_soap_message_logging_payload_only                    | Unknown                  | Not reachable                        | Unknown
  step8_logging_into_elasticstack                            | Unknown                  | Not reachable                        | Unknown
  step9_soap_message_logging_into_custom_elasticsearch_field | Unknown                  | Not reachable                        | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-1305

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 6.5 (v3.0)

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible, depending on the order in which Servlets were loaded, for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

  Project                                                    | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  step3_jaxws-endpoint-cxf-spring-boot                       | Unknown                  | Not reachable                        | Unknown
  step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl             | Unknown                  | Not reachable                        | Unknown
  step6_soap_message_logging                                 | Unknown                  | Not reachable                        | Unknown
  step2_wsdl_2_java_maven                                    | Unknown                  | Not reachable                        | Unknown
  step7_soap_message_logging_payload_only                    | Unknown                  | Not reachable                        | Unknown
  step1_simple_springboot_app_with_cxf                       | Unknown                  | Not reachable                        | Unknown
  step8_logging_into_elasticstack                            | Unknown                  | Not reachable                        | Unknown
  step9_soap_message_logging_into_custom_elasticsearch_field | Unknown                  | Not reachable                        | Unknown
  All listed projects: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-1336

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 7.5 (v3.1)

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(each project: Group de.jonashackt.tutorial, Artifact as named, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step8_logging_into_elasticstack: Unknown / Not reachable / Unknown
  2. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Not reachable / Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Not reachable / Unknown
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Not reachable / Unknown
  5. step2_wsdl_2_java_maven: Unknown / Not reachable / Unknown
  6. step6_soap_message_logging: Unknown / Not reachable / Unknown
  7. step1_simple_springboot_app_with_cxf: Unknown / Not reachable / Unknown
  8. step7_soap_message_logging_payload_only: Unknown / Not reachable / Unknown

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-8014

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 9.8 (v3.0)

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(each project: Group de.jonashackt.tutorial, Artifact as named, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step6_soap_message_logging: Unknown / Not reachable / Unknown
  2. step2_wsdl_2_java_maven: Unknown / Not reachable / Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Not reachable / Unknown
  4. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Not reachable / Unknown
  5. step7_soap_message_logging_payload_only: Unknown / Not reachable / Unknown
  6. step8_logging_into_elasticstack: Unknown / Not reachable / Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Not reachable / Unknown
  8. step1_simple_springboot_app_with_cxf: Unknown / Not reachable / Unknown

tomcat-embed-core-8.0.32.jar

affected by

CVE-2018-8037

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 5.9 (v3.0)

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(each project: Group de.jonashackt.tutorial, Artifact as named, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step6_soap_message_logging: Unknown / Not reachable / Unknown
  2. step7_soap_message_logging_payload_only: Unknown / Not reachable / Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Not reachable / Unknown
  4. step8_logging_into_elasticstack: Unknown / Not reachable / Unknown
  5. step2_wsdl_2_java_maven: Unknown / Not reachable / Unknown
  6. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Not reachable / Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Not reachable / Unknown
  8. step1_simple_springboot_app_with_cxf: Unknown / Not reachable / Unknown

tomcat-embed-core-8.0.32.jar

affected by

CVE-2019-0199

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 7.5 (v3.0)

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(each project: Group de.jonashackt.tutorial, Artifact as named, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step2_wsdl_2_java_maven: Unknown / Not reachable / Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Not reachable / Unknown
  3. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Not reachable / Unknown
  4. step8_logging_into_elasticstack: Unknown / Not reachable / Unknown
  5. step6_soap_message_logging: Unknown / Not reachable / Unknown
  6. step7_soap_message_logging_payload_only: Unknown / Not reachable / Unknown
  7. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Not reachable / Unknown
  8. step1_simple_springboot_app_with_cxf: Unknown / Not reachable / Unknown

tomcat-embed-core-8.0.32.jar

affected by

CVE-2019-0221

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 6.1 (v3.0)

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Includes vulnerable code / Potentially executes vulnerable code / Executes vulnerable code
(each project: Group de.jonashackt.tutorial, Artifact as named, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true)
  1. step2_wsdl_2_java_maven: Unknown / Not reachable / Unknown
  2. step3_jaxws-endpoint-cxf-spring-boot: Unknown / Not reachable / Unknown
  3. step8_logging_into_elasticstack: Unknown / Not reachable / Unknown
  4. step6_soap_message_logging: Unknown / Not reachable / Unknown
  5. step7_soap_message_logging_payload_only: Unknown / Not reachable / Unknown
  6. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown / Not reachable / Unknown
  7. step1_simple_springboot_app_with_cxf: Unknown / Not reachable / Unknown
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown / Not reachable / Unknown

tomcat-embed-core-8.0.32.jar

affected by

CVE-2019-0232

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 8.1 (v3.0)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

  1. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2019-17563

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 7.5 (v3.1)

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

  1. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2019-17569

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 4.8 (v3.1)

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

  1. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2020-13934

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 7.5 (v3.1)

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

  1. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2020-1935

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 4.8 (v3.1)

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

  1. step8_logging_into_elasticstack
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step9_soap_message_logging_into_custom_elasticsearch_field
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step7_soap_message_logging_payload_only
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step1_simple_springboot_app_with_cxf
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step6_soap_message_logging
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step2_wsdl_2_java_maven
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step3_jaxws-endpoint-cxf-spring-boot
    Includes vulnerable code: Unknown
    Potentially executes vulnerable code: Not reachable
    Executes vulnerable code: Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2020-1938

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 9.8 (v3.1)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
  - returning arbitrary files from anywhere in the web application
  - processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Includes vulnerable code Potentially executes vulnerable code Executes vulnerable code
  1. step2_wsdl_2_java_maven Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step1_simple_springboot_app_with_cxf Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step6_soap_message_logging Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  1. step2_wsdl_2_java_maven Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step1_simple_springboot_app_with_cxf Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step6_soap_message_logging Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only Not reachable
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  1. step2_wsdl_2_java_maven Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step3_jaxws-endpoint-cxf-spring-boot Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step1_simple_springboot_app_with_cxf Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step6_soap_message_logging Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step7_soap_message_logging_payload_only Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-core-8.0.32.jar

affected by

CVE-2021-33037

Archive Digest: 734EAD0C803525CC9C7F283438101734CA9AAC01
CVSS Score: 5.3 (v3.1)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
  - Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
  - Tomcat honoured the identity encoding; and
  - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

The archive flagged here, tomcat-embed-core-8.0.32.jar, is outside the version ranges quoted above: the 8.0.x line had reached end of life before this issue was fixed and never received the fix, and Steady reports the archive because it contains the affected code constructs rather than by comparing version strings.
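The three parsing mistakes above map onto three checks a strict request-body framing routine has to make. The following is an added example (not Tomcat's code and not its exact fix) that applies those checks: headers are passed in as an already-split list of (name, value) pairs, the "client would only accept an HTTP/1.0 response" case is read as the request-line version, and the conservative choice for that case is to reject the request rather than to frame it differently from a proxy that honoured the header.

```python
"""Strict request-body framing for HTTP/1.x.

Added example for the three parsing mistakes listed in CVE-2021-33037; it is
not Tomcat's code and does not reproduce the exact fix.  Headers arrive as an
already-split list of (name, value) pairs; comma-separated and repeated
Transfer-Encoding / Content-Length fields are merged in wire order.
"""
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]


class FramingError(ValueError):
    """The request must be rejected (HTTP 400); guessing would let a proxy
    and the server frame the body differently, which is request smuggling."""


def _field_values(headers: Iterable[Header], name: str) -> List[str]:
    """All comma-separated values of `name`, case-insensitive, in wire order."""
    values: List[str] = []
    for field, value in headers:
        if field.lower() == name:
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def decide_framing(request_version: str, headers: Iterable[Header]) -> Tuple[str, Optional[int]]:
    """Return ("chunked", None), ("content-length", n) or ("none", None).

    Policy (RFC 7230 section 3.3.3, applied without leniency):
      1. Transfer-Encoding is examined for every request and is never skipped
         because of the protocol version.  A non-HTTP/1.1 request that carries
         one is rejected instead of being silently treated as having no body.
      2. 'identity' is not a transfer coding (dropped in RFC 7230); reject it.
      3. 'chunked' must be present exactly once and must be the last coding.
      4. Transfer-Encoding together with Content-Length is rejected, as are
         conflicting or non-numeric Content-Length values.
    """
    headers = list(headers)
    codings = _field_values(headers, "transfer-encoding")
    lengths = _field_values(headers, "content-length")

    if codings:
        if request_version.upper() != "HTTP/1.1":
            raise FramingError("Transfer-Encoding is only defined for HTTP/1.1 requests")
        if "identity" in codings:
            raise FramingError("'identity' is not a valid transfer coding")
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise FramingError("'chunked' must appear once, as the final transfer coding")
        if lengths:
            raise FramingError("Transfer-Encoding and Content-Length must not both be present")
        return ("chunked", None)

    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise FramingError("conflicting or malformed Content-Length")
        return ("content-length", int(lengths[0]))

    return ("none", None)


def is_rejected(request_version: str, headers: Iterable[Header]) -> bool:
    """True when decide_framing() refuses the request."""
    try:
        decide_framing(request_version, headers)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed header sets, one per bullet in the CVE text, plus a clean request.
    samples = {
        "http/1.0 + chunked": ("HTTP/1.0", [("Transfer-Encoding", "chunked")]),
        "identity":           ("HTTP/1.1", [("Transfer-Encoding", "identity"), ("Content-Length", "4")]),
        "chunked not last":   ("HTTP/1.1", [("Transfer-Encoding", "chunked, gzip")]),
        "clean":              ("HTTP/1.1", [("Transfer-Encoding", "gzip, chunked")]),
    }
    for label, (version, hdrs) in samples.items():
        verdict = "REJECT" if is_rejected(version, hdrs) else decide_framing(version, hdrs)
        print(f"{label:20s} -> {verdict}")
```

Rejecting on every ambiguity is the point: a server that guesses is a server whose view of the body can differ from the proxy's, and that difference is the whole attack.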

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step3_jaxws-endpoint-cxf-spring-boot                        | Unknown                  | Not reachable                        | Unknown
  2. step2_wsdl_2_java_maven                                     | Unknown                  | Not reachable                        | Unknown
  3. step6_soap_message_logging                                  | Unknown                  | Not reachable                        | Unknown
  4. step7_soap_message_logging_payload_only                     | Unknown                  | Not reachable                        | Unknown
  5. step9_soap_message_logging_into_custom_elasticsearch_field  | Unknown                  | Not reachable                        | Unknown
  6. step8_logging_into_elasticstack                             | Unknown                  | Not reachable                        | Unknown
  7. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl              | Unknown                  | Not reachable                        | Unknown
  8. step1_simple_springboot_app_with_cxf                        | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-11784

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 4.3 (v3.0)

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. Tomcat 8.0.x is not in the quoted ranges because it was already end of life; the flagged tomcat-embed-core-8.0.33.jar is reported because it contains the affected code.
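The general defence against this class of bug is to rebuild the directory redirect from the normalised request path and to refuse any Location a browser would read as scheme-relative. The following is an added example of that defence; it is not Tomcat's DefaultServlet code and does not claim to be its exact fix, and the request-targets in the demo are constructed.

```python
"""Directory redirect that cannot be pointed at another host.

Added example for the class of bug in CVE-2018-11784; not Tomcat's DefaultServlet
code and not its exact fix.  The '/foo' -> '/foo/' Location is rebuilt from the
normalised request path, and anything a browser would read as a scheme-relative
URL ('//host/...' or '/\\host/...') is folded back into a plain path.
"""
from urllib.parse import urlsplit


def normalise_request_path(request_uri: str) -> str:
    """Reduce an origin-form request-target to a single-slash-rooted path.

    - query string dropped (it is not part of the directory name)
    - backslashes folded to '/' first, because browsers treat them alike
    - a run of leading slashes collapsed to one, so '//evil.example/x' becomes
      '/evil.example/x' (a path on this host) instead of a new authority
    - dot segments refused rather than resolved
    """
    path = request_uri.split("?", 1)[0].replace("\\", "/")
    if not path.startswith("/"):
        raise ValueError("request-target must be origin-form")
    path = "/" + path.lstrip("/")
    if any(seg in (".", "..") for seg in path.split("/")):
        raise ValueError("dot segments are not allowed in a redirect target")
    return path


def is_host_relative(location: str) -> bool:
    """True only for a Location a user agent resolves against the current origin."""
    parts = urlsplit(location.replace("\\", "/"))
    return (parts.scheme == "" and parts.netloc == ""
            and location.startswith("/") and not location.startswith("//"))


def directory_redirect_location(request_uri: str, context_path: str = "") -> str:
    """Location header value for redirecting '<context>/foo' to '<context>/foo/'."""
    path = normalise_request_path(request_uri)
    if not path.endswith("/"):
        path += "/"
    location = context_path + path
    if not is_host_relative(location):          # belt and braces: never emit an off-host target
        raise ValueError(f"refusing to emit off-host redirect: {location!r}")
    return location


if __name__ == "__main__":
    # Constructed request-targets: a normal one, two scheme-relative attempts, one with a query.
    for target in ("/foo", "//evil.example/foo", "/\\evil.example/foo", "/foo?x=1"):
        print(f"{target!r:28} -> {directory_redirect_location(target, '/app')!r}")
```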

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-1304

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 5.9 (v3.0)

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-1305

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 6.5 (v3.0)

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-1336

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 7.5 (v3.1)

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-8014

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 9.8 (v3.0)

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52 and 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
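Why "credentials for all origins" is the dangerous combination: browsers only honour Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin names the concrete requesting origin, so a filter that supports credentials for any origin has to reflect whatever Origin it is sent, and every site on the web can then read cookie-authenticated responses. The following added example (not the CorsFilter source) puts that weak policy beside an explicit allow-list and adds the start-up check a deployment should run; the policy fields are named after the filter's cors.allowed.origins and cors.support.credentials init-parameters as a naming assumption only, and the origins are constructed.

```python
"""CORS response decision: the weak default described in CVE-2018-8014
(credentials supported for every origin) beside a hardened allow-list policy.

Added example, not the CorsFilter source.  Policy fields follow the filter's
init-parameter names (cors.allowed.origins, cors.support.credentials); the
decision logic is the generic browser contract, not a copy of Tomcat's code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: FrozenSet[str]   # exact origins, or frozenset({"*"}) for any origin
    support_credentials: bool


# What the filter effectively did out of the box: any origin, with credentials.
WEAK_DEFAULT = CorsPolicy(frozenset({"*"}), support_credentials=True)
# What a deployment should declare instead: an explicit allow-list.
HARDENED = CorsPolicy(frozenset({"https://app.example"}), support_credentials=True)


def policy_problems(policy: CorsPolicy) -> List[str]:
    """Static check to run at start-up; an empty list means the policy is sane."""
    problems = []
    if "*" in policy.allowed_origins and policy.support_credentials:
        problems.append("any origin + credentials: every site can read authenticated responses")
    if "null" in policy.allowed_origins:
        problems.append("'null' origin allowed: sandboxed iframes and file:// pages match it")
    if any(o != "*" and not o.startswith(("https://", "http://")) for o in policy.allowed_origins):
        problems.append("origins must be scheme://host[:port], not bare host names")
    return problems


def cors_headers(policy: CorsPolicy, origin: Optional[str]) -> Dict[str, str]:
    """Headers added to the response for a request carrying `origin`."""
    if origin is None:
        return {}                         # same-origin or non-browser client: nothing to add
    if "*" in policy.allowed_origins:
        if policy.support_credentials:
            # To let credentials through for "any" origin the server has to
            # reflect the concrete origin; this is the dangerous combination.
            return {"Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Credentials": "true",
                    "Vary": "Origin"}
        return {"Access-Control-Allow-Origin": "*"}
    if origin in policy.allowed_origins:
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if policy.support_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}                             # not allowed: the browser blocks the cross-origin read


def grants_credentialed_read(policy: CorsPolicy, origin: str) -> bool:
    """Would a page at `origin` be able to read a cookie-authenticated response?"""
    h = cors_headers(policy, origin)
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    attacker = "https://attacker.example"     # constructed origin
    for name, policy in (("weak default", WEAK_DEFAULT), ("hardened", HARDENED)):
        print(f"{name:13s} problems={policy_problems(policy)} "
              f"attacker reads with credentials: {grants_credentialed_read(policy, attacker)}")
```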

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2018-8037

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 5.9 (v3.0)

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2019-0199

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 7.5 (v3.0)

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2019-0221

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 6.1 (v3.0)

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2019-0232

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 8.1 (v3.0)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2019-17563

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 7.5 (v3.1)

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2019-17569

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 4.8 (v3.1)

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  2. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2020-13934

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 7.5 (v3.1)

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2020-1935

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 4.8 (v3.1)

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

  Project                                                        | Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test                                                  | Unknown                  | Not reachable                        | Unknown
  2. step5_custom-soap-fault                                     | Unknown                  | Not reachable                        | Unknown
  All rows: Group de.jonashackt.tutorial, Version 0.0.1-SNAPSHOT, Scope COMPILE, Transitive dependency: true

tomcat-embed-core-8.0.33.jar

affected by

CVE-2020-1938

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 9.8 (v3.1)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Includes vulnerable code:
  1. step4_test: Unknown (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step5_custom-soap-fault: Unknown (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step4_test: Not reachable (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step5_custom-soap-fault: Not reachable (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step4_test: Unknown (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step5_custom-soap-fault: Unknown (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.0.33.jar

affected by

CVE-2021-33037

Archive Digest: 4E7F547FBB2C364CB5E02A58790C5FB89E31EFED
CVSS Score: 5.3 (v3.1)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Includes vulnerable code:
  1. step5_custom-soap-fault: Unknown (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step4_test: Unknown (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step5_custom-soap-fault: Not reachable (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step4_test: Not reachable (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step5_custom-soap-fault: Unknown (de.jonashackt.tutorial:step5_custom-soap-fault:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step4_test: Unknown (de.jonashackt.tutorial:step4_test:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
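The three parsing rules listed for CVE-2021-33037 (which the report raises again for tomcat-embed-core-8.5.5.jar below) are easy to state and easy to get wrong. The following is an added example, not Eclipse Steady's or Apache Tomcat's code: it models request-body framing as the CVE text describes the pre-fix behaviour, and next to it the hardened decision that rejects every header combination a reverse proxy could frame differently. Function names, the SmugglingRisk exception and the sample headers are my own constructions.

```python
from dataclasses import dataclass
from typing import Optional


class SmugglingRisk(ValueError):
    """Raised for header combinations that two parsers could frame differently."""


@dataclass(frozen=True)
class Framing:
    chunked: bool                   # body delimited by the chunked coding
    content_length: Optional[int]   # body delimited by a byte count, if any


def _header(headers: dict[str, str], name: str) -> Optional[str]:
    # Header field names are case-insensitive.
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _codings(value: str) -> list[str]:
    # Transfer-Encoding is a comma-separated, case-insensitive list of codings.
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def legacy_framing(headers: dict[str, str], request_version: str) -> Framing:
    """Pre-fix behaviour modelled from the three bullets in the CVE text
    (for contrast only): Transfer-Encoding is skipped for an HTTP/1.0 request,
    'identity' is treated as a no-op coding, and chunked need not be last."""
    te = _header(headers, "transfer-encoding")
    cl = _header(headers, "content-length")
    if te is None or request_version == "HTTP/1.0":
        return Framing(chunked=False, content_length=int(cl) if cl is not None else None)
    codings = [c for c in _codings(te) if c != "identity"]
    return Framing(chunked="chunked" in codings, content_length=None)


def hardened_framing(headers: dict[str, str], request_version: str) -> Framing:
    """Framing with the three CVE-2021-33037 rules enforced. Raises
    SmugglingRisk instead of guessing, so the request can be rejected."""
    te = _header(headers, "transfer-encoding")
    cl = _header(headers, "content-length")
    if te is None:
        return Framing(chunked=False, content_length=int(cl) if cl is not None else None)
    # Rule 1: Transfer-Encoding is evaluated whatever request_version says; a
    # proxy in front would honour it even if this request claims HTTP/1.0.
    codings = _codings(te)
    # Rule 2: 'identity' is not accepted as a transfer-coding.
    if "identity" in codings:
        raise SmugglingRisk("identity transfer-coding is not accepted")
    # Rule 3: if chunked is present it must be the final coding.
    if "chunked" in codings and codings[-1] != "chunked":
        raise SmugglingRisk("chunked must be the final transfer-coding")
    if "chunked" not in codings:
        raise SmugglingRisk("body length cannot be determined without chunked")
    # Both length headers present: reject rather than let one override the other.
    if cl is not None:
        raise SmugglingRisk("Transfer-Encoding and Content-Length both present")
    return Framing(chunked=True, content_length=None)


def rejection_reason(headers: dict[str, str], request_version: str) -> Optional[str]:
    """Return the hardened parser's rejection message, or None if accepted."""
    try:
        hardened_framing(headers, request_version)
    except SmugglingRisk as exc:
        return str(exc)
    return None


# Constructed sample (not taken from the report): an HTTP/1.0 request that
# carries both a chunked Transfer-Encoding and a Content-Length.
SAMPLE_AMBIGUOUS = {"Content-Length": "4", "Transfer-Encoding": "chunked"}

if __name__ == "__main__":
    print("legacy:  ", legacy_framing(SAMPLE_AMBIGUOUS, "HTTP/1.0"))
    print("hardened:", rejection_reason(SAMPLE_AMBIGUOUS, "HTTP/1.0"))
```

The legacy model frames the sample by its Content-Length of 4 bytes while a proxy that honours Transfer-Encoding reads a chunked body; whatever follows the 4th byte is then parsed by one side as the start of a new request. The hardened path never reaches that disagreement because it refuses the request outright.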

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-11784

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 4.3 (v3.0)

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-1304

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 5.9 (v3.0)

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-1305

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 6.5 (v3.0)

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-1336

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.1)

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-8014

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 9.8 (v3.0)

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
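The CVE-2018-8014 text says the default CORS filter settings enabled 'supportsCredentials' for all origins, and that only deployers who left the defaults untouched are affected. To make concrete what that default hands an attacker, here is an added example, not Tomcat's CorsFilter and not code from the report: a minimal model of the header decision a CORS filter makes for a simple cross-origin request, run once with the insecure defaults and once with an explicit allowlist, plus the configuration check a reviewer would want. The class and function names and the example origins are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsConfig:
    allowed_origins: frozenset[str]   # the literal "*" means any origin
    support_credentials: bool


# The defaults as the CVE text describes them: every origin, with credentials.
INSECURE_DEFAULTS = CorsConfig(allowed_origins=frozenset({"*"}),
                               support_credentials=True)

# A hardened configuration (hypothetical origin): explicit allowlist only.
HARDENED = CorsConfig(allowed_origins=frozenset({"https://app.example.com"}),
                      support_credentials=True)


def cors_response_headers(config: CorsConfig, origin: Optional[str]) -> dict[str, str]:
    """CORS response headers for a simple cross-origin request from `origin`.

    Browsers refuse Access-Control-Allow-Credentials together with a literal
    "*" origin, so a credential-enabled filter has to echo the concrete
    request origin. With "*" as the allowlist that means echoing whatever
    Origin the attacker's page sends, which is the weakness in the default.
    """
    if origin is None:
        return {}                       # same-origin or non-browser request
    any_origin = "*" in config.allowed_origins
    if not any_origin and origin not in config.allowed_origins:
        return {}                       # browser withholds the response
    if config.support_credentials:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Access-Control-Allow-Origin": "*" if any_origin else origin}


def readable_with_credentials(config: CorsConfig, origin: str) -> bool:
    """True if script on `origin` can read responses sent with the victim's
    cookies, i.e. a cross-site request gets both an echoed origin and
    Access-Control-Allow-Credentials: true."""
    h = cors_response_headers(config, origin)
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")


def config_problems(config: CorsConfig) -> list[str]:
    """Review checks to run on a CORS configuration before deploying it."""
    problems = []
    if "*" in config.allowed_origins and config.support_credentials:
        problems.append("credentials enabled for any origin")
    for o in config.allowed_origins:
        if o != "*" and not o.startswith("https://"):
            problems.append(f"non-https origin in allowlist: {o}")
    return problems


if __name__ == "__main__":
    attacker = "https://attacker.example"   # hypothetical attacker-controlled origin
    print("defaults readable by attacker:", readable_with_credentials(INSECURE_DEFAULTS, attacker))
    print("hardened readable by attacker:", readable_with_credentials(HARDENED, attacker))
    print("problems with defaults:", config_problems(INSECURE_DEFAULTS))
```

With the defaults, a page on any origin can issue a credentialed fetch against the application and read the authenticated response, which turns every cookie-authenticated endpoint into a cross-site data leak. The allowlist closes that because the attacker's origin receives no Access-Control-Allow-Origin header at all.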

tomcat-embed-core-8.5.5.jar

affected by

CVE-2018-8037

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 5.9 (v3.0)

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-0199

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.0)

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-0221

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 6.1 (v3.0)

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-0232

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 8.1 (v3.0)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-10072

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.0)

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-17563

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.1)

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2019-17569

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 4.8 (v3.1)

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2020-11996

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.1)

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2020-13934

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 7.5 (v3.1)

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2020-1935

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 4.8 (v3.1)

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2020-1938

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 9.8 (v3.1)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-core-8.5.5.jar

affected by

CVE-2021-33037

Archive Digest: D55E12A418FF99ECD723A118C2A28BB91079972D
CVSS Score: 5.3 (v3.1)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Includes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Not reachable (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Executes vulnerable code:
  1. step10_simple_app_with_cxf-spring-boot-starter: Unknown (de.jonashackt.tutorial:step10_simple_app_with_cxf-spring-boot-starter:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)

tomcat-embed-websocket-8.0.32.jar

affected by

CVE-2018-8034

Archive Digest: 237CA58DAC66F438579750169E6CB297AC041C9D
CVSS Score: 7.5 (v3.0)

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Includes vulnerable code:
  1. step6_soap_message_logging: Unknown (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step7_soap_message_logging_payload_only: Unknown (de.jonashackt.tutorial:step7_soap_message_logging_payload_only:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  3. step2_wsdl_2_java_maven: Unknown (de.jonashackt.tutorial:step2_wsdl_2_java_maven:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  4. step3_jaxws-endpoint-cxf-spring-boot: Unknown (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  5. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl: Unknown (de.jonashackt.tutorial:step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  6. step8_logging_into_elasticstack: Unknown (de.jonashackt.tutorial:step8_logging_into_elasticstack:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  7. step9_soap_message_logging_into_custom_elasticsearch_field: Unknown (de.jonashackt.tutorial:step9_soap_message_logging_into_custom_elasticsearch_field:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  8. step1_simple_springboot_app_with_cxf: Unknown (de.jonashackt.tutorial:step1_simple_springboot_app_with_cxf:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
Potentially executes vulnerable code:
  1. step6_soap_message_logging: Unknown (de.jonashackt.tutorial:step6_soap_message_logging:0.0.1-SNAPSHOT, scope COMPILE, transitive dependency: true)
  2. step7_soap_message_logging_payload_only Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step2_wsdl_2_java_maven Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step1_simple_springboot_app_with_cxf Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  1. step6_soap_message_logging Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step7_soap_message_logging_payload_only Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step2_wsdl_2_java_maven Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step3_jaxws-endpoint-cxf-spring-boot Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step8_logging_into_elasticstack Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step9_soap_message_logging_into_custom_elasticsearch_field Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step1_simple_springboot_app_with_cxf Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-websocket-8.0.32.jar

affected by

CVE-2020-13935

Archive Digest: 237CA58DAC66F438579750169E6CB297AC041C9D
CVSS Score: 7.5 (v3.1)

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step6_soap_message_logging   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step6_soap_message_logging
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step2_wsdl_2_java_maven   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step2_wsdl_2_java_maven
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  3. step9_soap_message_logging_into_custom_elasticsearch_field   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step9_soap_message_logging_into_custom_elasticsearch_field
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  4. step8_logging_into_elasticstack   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step8_logging_into_elasticstack
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  5. step3_jaxws-endpoint-cxf-spring-boot   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  6. step7_soap_message_logging_payload_only   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step7_soap_message_logging_payload_only
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  7. step1_simple_springboot_app_with_cxf   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step1_simple_springboot_app_with_cxf
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  8. step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step3_jaxws-endpoint-cxf-spring-boot-orig-wsdl
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-websocket-8.0.33.jar

affected by

CVE-2018-8034

Archive Digest: BE1F95E5D9AE00F9BC6138441D29CFE5C7C60256
CVSS Score: 7.5 (v3.0)

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-websocket-8.0.33.jar

affected by

CVE-2020-13935

Archive Digest: BE1F95E5D9AE00F9BC6138441D29CFE5C7C60256
CVSS Score: 7.5 (v3.1)

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step4_test   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step4_test
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true
  2. step5_custom-soap-fault   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step5_custom-soap-fault
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-websocket-8.5.5.jar

affected by

CVE-2018-8034

Archive Digest: FD99CD1CD4C824ABDF03466F0509F067747F0D1A
CVSS Score: 7.5 (v3.0)

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true

tomcat-embed-websocket-8.5.5.jar

affected by

CVE-2020-13935

Archive Digest: FD99CD1CD4C824ABDF03466F0509F067747F0D1A
CVSS Score: 7.5 (v3.1)

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Includes vulnerable code | Potentially executes vulnerable code | Executes vulnerable code
  1. step10_simple_app_with_cxf-spring-boot-starter   Unknown | Unknown | Unknown
    Group: de.jonashackt.tutorial
    Artifact: step10_simple_app_with_cxf-spring-boot-starter
    Version: 0.0.1-SNAPSHOT
    Scope: COMPILE
    Transitive dependency: true